Thursday, July 20, 2017

Financially Motivated APT-style Actors Target Retail & Hospitality

A financially motivated, APT-style group of cyber threat actors is targeting large restaurant chains with phishing emails containing malicious attachments. Since as early as April 2017, a new wave of the group's activity has targeted the retail and hospitality sectors. The group has been active since 2015 and is known for its use of the Carbanak malware. The most recent campaigns leverage two new RTF droppers to deliver a variant of a known backdoor. Early campaigns were known for targeting financial institutions and banks; in 2015, the group targeted European banks through a banking application called the Internet Front End Banking System (iFOBS). This report describes the TTPs leveraged in the recent campaigns.

Wapack Labs has cataloged and reported extensively on APTs, cyber threat actors, phishing, malware, financial institutions, and Carbanak in the past. An archive of related reporting can be found in the Red Sky Alliance portal.

Tuesday, July 18, 2017

NotPetya: Ransomware Or Russian Wiper?

Creators of the NotPetya (also known as Petya, PetrWrap, Petya.A, Win32/Diskcoder.Petya.C, EternalPetya, Nyetya, and exPetr) continue to present NotPetya as “simple ransomware.” The developers have moved received bitcoins, sent payments to Pastebin and DeepPaste associated wallets, contacted the public, and apparently were able to decrypt one short NotPetya-encrypted file. At the same time, the NotPetya creators did not use the original Petya ransomware source code, and likely left no remedy for most users to recover their encrypted data, despite showing them the ransom note. These observations, together with targeting and comparative TTP data for XData and BlackEnergy3 KillDisk, allow Wapack analysts to attribute NotPetya as likely belonging to a Russian APT. The Petya/NotPetya operation is likely another Russian APT targeted disruption of Ukrainian IT infrastructure, and possibly an intelligence operation, masked as a ransomware case. At the same time, it is probable that the Petya and NotPetya actors have a master key that could decrypt user files in cases where the targeted disk was not destroyed and system information is available.

Wapack Labs has cataloged and reported extensively on Petya/NotPetya, ransomware, BlackEnergy, Russian APT, wiper malware, and Ukrainian attacks in the past. An archive of related reporting can be found in the Red Sky Alliance portal.

Monday, July 17, 2017

Below the noise of Petya - Loki Bot Credential Stealing Malware

In late June 2017, Wapack Labs identified a malicious email targeting a Ukrainian FI (Financial Institution) to deliver a credential stealing malware called Loki Bot. This incident happened at the same time as the Petya/NotPetya Ransomware.

Loki Bot samples and C2s were reported as being Petya/NotPetya ransomware. Further confusion resulted when AV detections began identifying Loki Bot as Petya/NotPetya. Loki Bot is sold in underground Tor marketplaces and can steal passwords from browsers, FTP/SSH applications, email accounts, and crypto-coin wallets. Wapack Labs was able to sinkhole malicious Loki Bot C2 domains for further analysis.

This report discusses the misattribution of Loki Bot, along with technical details of analyzed Loki Bot samples including analysis regarding the sinkholed domains and indicators of compromise.

We normally don't publish analysis in its entirety. My team has requested that we post this analysis on the blog for broader situational awareness. 


Friday, July 14, 2017

Petya/NotPetya and Really Not Petya - Loki Bot Credential Stealing Malware

In late June 2017, Wapack Labs identified a malicious email targeting Ukrainian Financial Institutions (FI) to deliver a credential stealing malware called Loki Bot. This incident happened at the same time as the Petya/NotPetya Ransomware outbreak, which also targeted Ukrainian banking infrastructure. Possibly due to the confusion generated during the initial Petya/NotPetya outbreak, Loki Bot samples and C2s were reported as being Petya/NotPetya ransomware. Further confusion resulted when Anti-virus (AV) detections began identifying Loki Bot as Petya/NotPetya. Loki Bot is sold in underground Tor marketplaces and can steal passwords from browsers, File Transfer Protocol (FTP) applications, email accounts, and crypto-coin wallets. This report discusses the misattribution of Loki Bot, along with technical details of analyzed Loki Bot samples

Get the full report here. 
Wapack Labs has cataloged and reported extensively on Loki Bot, and Loki RAT, in the past. An archive of related reporting can be found in the Red Sky Alliance portal.

Tuesday, July 4, 2017

Happy Fourth of July!

I was traveling Saturday, so I didn't get to post...

Today when we're all enjoying hot dogs and hamburgers and corn on the cob and all things American, which is exactly what we should be doing, remember, we're the...

Land of the free BECAUSE of the brave.

…and tomorrow? Back to protecting cyber in the free world…

Have a great Fourth of July!

Wednesday, June 28, 2017

Lurking Offshore: The Business Case Study for Working Together

Last week, the MPS-ISAO held a cybersecurity intelligence themed webinar, “Lurking Offshore: Active Cyber Threats Targeting Ports & Maritime”, with our partner, Wapack Labs. It’s a fascinating story about a financially motivated adversary using spear-phishing to target Ports. I’m sure you are thinking, “Another scary cyber story… Why should I care?” By studying the data associated with this actor (how, when, why, and who), the case for Maritime and Port organizations working together to protect themselves from cyber adversaries is made. Cybersecurity silos need to be shattered, now.

Understanding the adversary.
Because Wapack has been tracking this adversary for some time, we have learned a lot by studying the intel.
First, this adversary is successful.  Our intel team sees an almost 100% success rate with a low detection rate (< 5%) through traditional security technology and vendor sourced data.  During the first six months of 2017, over 1,000 U.S. and European victims have been observed.
It’s a cost-effective, organized business operation. The malware being used only costs about $30 per month, and the adversary has developed a business model with specialized skills.  Also, there is high reuse between victims. So, if one Port is compromised, there is a good possibility that other Ports will be targeted using the same spear-phish email.
And, this adversary is persistent.  They improve their odds of success by including supply chain partners in the scope of an attack.  In one instance where a Port was the intended victim, ten suppliers to this Port were targeted at the same time, with the same spear-phish email used across all organizations.  The targeted suppliers were diverse too.  They included organizations in the following lines of business:
  • Construction Consortium
  • Logistics Services
  • Oil & Gas Services
  • Consulting Services
  • Marine Transport
  • IT Services Provider
  • Multi-Modal Transport
  • Oil & Gas Engineering Services

Turning the tide.  
In 2015, The Obama administration issued two important pieces of Cybersecurity legislation.  A Presidential Executive Order (EO) was issued in February 2015 to promote private sector cybersecurity information sharing.  Section 2 of this EO states, “strongly encourage the development and formation of Information Sharing and Analysis Organizations (ISAOs).”  A few months later, the Cybersecurity Information Sharing Act of 2015 (CISA) was signed into law to “improve cybersecurity in the United States through enhanced sharing of information about cybersecurity threats.” CISA provides information sharing legal protections to organizations who participate in an ISAO.  

These two pieces of legislation led to the formation of the Maritime and Port Security ISAO, and its parent organization – the International Association of Certified ISAOs (IACI), to promote cyber resilience.   
If someone could tell you where the sharks were, wouldn’t you want to know?
The MPS-ISAO, headquartered at the Global Situational Awareness Center (GSAC) at NASA/Kennedy Space Center, is a non-profit, private sector-led organization working in collaboration with government to advance Port and Maritime cyber resilience.  Its core mission is to enable and sustain a safe, secure and resilient Maritime and Port Critical Infrastructure through security situational intelligence, bi-directional information sharing, coordinated response, and best practice adoption supported by role-based education.
Port and Maritime organizations who subscribe to the MPS-ISAO’s cyber intelligence service have the advantage of early threat awareness provided via industry-specific, cross-sector, and global cyber intelligence along with countermeasure solutions.  They participate in a Maritime and Port community composed of stakeholders from across the industry sector who are interested in working together to achieve cyber resilience.  
Going back to the Lurking Offshore Case Study, we know that this adversary targets multiple victims within a Port’s supply chain using the same malicious email, and then reuses the email across another 8-10 Port victims.  When the email is shared into the MPS-ISAO Community, early threat awareness enables organizations to put protective measures in place.  
So, a single share can protect many.
And, the business case for working together was never stronger.
Wapack Labs’ engineers, researchers, and analysts design and deliver transformational cyber-security analysis tools that fuse open source and proprietary information, using deep analysis techniques and visualization. Information derived from these tools and techniques serves as the foundation of Wapack Labs’ information reporting to the cyber-security teams of its customers and industry partners located around the world.

Ransomware Affecting APM Terminals

27 June 2017. According to open source reporting, numerous high-profile organizations have released statements stating that they are affected by an SMB exploit. Merck & Co, Rosneft, Boryspil International Airport, Antonov State Company, Ukrenergo, and WPP are among the victim companies. The Maersk Group, on behalf of its subsidiary APM Terminals, confirmed infections in APM facilities. At the time of this report, the bitcoin (BTC) wallet associated with the ransomware has thirty-one (31) received payments totaling 3.27744736 BTC ($7908.12 USD). Maersk has issued the following statement: “We can confirm that Maersk IT systems are down across multiple sites and business units. We are currently assessing the situation.” Open source reporting has confirmed that ports in Rotterdam, NL and Mobile, Alabama, US are affected and currently closed until network systems are restored. It is probable that all ports with APM facilities are affected due to the malware’s multiple lateral movement capabilities. PetrWrap ransomware is being spread using the EternalBlue SMB exploit. The malware also leverages Windows Management Instrumentation Command-line (WMIC) and PsExec to spread internally across a network.

Wapack Labs has cataloged and reported extensively on maritime vulnerabilities and ransomware in the past. An archive of related reporting can be found in the Red Sky Alliance portal.

Friday, June 23, 2017

The Darknet's Brickr Ransomware

Wapack Labs analysts observed an actor on the darknet advertising Brickr v1 Ransomware. Brickr v1’s stated purpose is “to be affordable, cheap and reliable product.” Buyers must contact the actor through Jabber or through the darknet forum's private messenger. If executed, Brickr v1 encrypts a user's personal files; to receive the decryption key, a ransom must be paid. As of 28 May 2017, Brickr v1 was for sale at $80.00 via Bitcoin (BTC). An article was published on how to remove Brickr Ransomware using Task Manager, which prompted the actor to include a new feature that temporarily disables Task Manager when the malware is executed. The actor revealed that Brickr v2 is under development and will include upgraded features. Wapack Labs will continue to monitor the forum, track all versions of this malware, and attempt to identify the actor.

Wapack Labs has cataloged and reported extensively on ransomware in the past. An archive of related reporting can be found in the Red Sky Alliance portal.

Monday, June 19, 2017

U.S. Corporate Concerns with China’s New Cybersecurity Law

On 1 June 2017, the Chinese government put an extensive new Cybersecurity law into effect. This law applies to all network operations in China, by Chinese citizens and foreign business operations alike. Many U.S. corporations operating in China have expressed concerns about how this law will impact their ability to operate under the more intrusive Chinese government control. The provisions with the potential for the greatest negative impact on foreign firms include:
  • Definition of network operators. The scope of the Cybersecurity Law provides control over not just telecom operators and internet firms but also banking institutions, insurance companies, securities companies, providers of cybersecurity products and services, and essentially any enterprise with a website in China or that provides network services. The American Chamber of Commerce in China has said the Law “will impact almost every company that operates in China.”
  • Requirements for “critical information infrastructure” operators. The Law defines these to include “public communications and information services, energy, finance, transportation, water conservation, public services, e-governance,” and other enterprises that could harm national security or the economy if damaged. Foreign corporations included in this category now face restrictions on equipment and services they can use, and they are vulnerable to inspection and intrusion by the Chinese government.
  • Restrictions on sending data outside China. The Law states that “personal information and other important data from operations within the PRC shall be stored within mainland China.” Business information and data on Chinese citizens cannot be transferred abroad without permission, and that would be contingent on intrusive “security assessments” by the Chinese government. Some U.S. analysis suggests that this could also prohibit the export of economic, technological, or scientific data considered to “pose a threat to national security or the public interest.”
The situation for foreign firms is uncertain at present because details on the scope of the Law and how it will be enforced are still unavailable. The initial impression among U.S. businesses is that the potential for intrusion and interruption is certainly considerable.

Wapack Labs has cataloged and reported extensively on China's cybersecurity in the past. An archive of related reporting can be found in the Red Sky Alliance portal.

Friday, June 16, 2017

OpIcarus2017, a Limited Risk

In June 2017, Wapack Labs analysts observed a faction of the Anonymous collective attempting to launch OpSacred, the fifth phase of OpIcarus2017, a multiphase operation aimed at central banks and other financial institutions (i.e., the International Monetary Fund and the World Bank). The campaign attracted hundreds of participants, yet failed to attract AnonOps support, create a dedicated IRC channel, attract experienced organizers, or follow up after its initial start day, producing limited effects. While the operation has been badly organized, it may become a training ground for future hacker collaborations, especially since the Anonymous collective has been observed using GitHub to collect and share tools.

Wapack Labs has cataloged and reported extensively on Anonymous' operations in the past. An archive of related reporting can be found in the Red Sky Alliance portal.

Friday, June 9, 2017

IBNS Malicious Infrastructure Targets Financial Institutions

In the last days of May, Wapack Labs identified a large email delivery infrastructure targeting multiple industries including finance and transportation. Wapack Labs dubbed this network “IBNS”. The infrastructure consists of a single name server and over 17k typo-squatted domains. The size of this recently discovered IBNS network is unprecedented. Wapack Labs believes that IBNS is a malicious provider that uses web automation and reseller services to facilitate its criminal activities. The actors sell through channels, using resellers instead of selling direct, creating a level of separation between themselves and the users. Tactics, Techniques, and Procedures (TTPs) associated with the activity suggest attribution to a known Nigerian fraud group.


I hear every day about the stupid users clicking through, and the CISO that talks about the problem being in the human. Honestly? I get kinda mad when I hear it. Why? These guys are using automated psychology to overwhelm, confuse and take advantage of unsuspecting users.

It means to me that the CISO who said it has never seen well-crafted emails meant to slip past the goalie.  Or perhaps they don't understand the idea that users only have so much will power, or that my own out-of-band email account (an AOL account that I've had for probably 20 years) receives far more spam than it does legitimate email.

Bad guys are smart. They know that users have only a limited amount of will power, and after seeing hundreds of spam per day, the idea that some of them are going to be opened, out of sheer exhaustion and confusion, is 100%.

Overwhelm, confuse, create fatigue, repeat, add additional sources of confusion, repeat again.

ONE typosquat dump that we identified had over 17,000 domains that look a heck of a lot like credit card and payment company domains. CapitalOne? Capital1? CapitalONE? Capital-one? My typo squats are terrible but you get the idea. Imagine dozens of variations created programmatically and then used to overwhelm.
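As an added example that is not part of the original post, here is a small Python check that flags lookalikes of a brand watchlist by undoing the disguises the post describes (hyphen insertion, digit-for-letter and digit-for-word swaps, single-character typos, TLD swaps). The brand list and candidate domains are constructed for the demo, and splitting the registrable domain into its last two labels is a simplification; a real deployment would use the Public Suffix List and the organization's own watchlist.

```python
"""Flag typo-squatted lookalikes of watched brand domains (added example)."""
from __future__ import annotations
from typing import Optional

# Constructed watchlist; a real deployment loads the organization's own list.
BRANDS = ("capitalone.com", "paypal.com", "chase.com")
# Characters commonly swapped in for letters (homoglyph / leet style).
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "rn": "m", "vv": "w"}
# Digit-for-word swaps such as "Capital1" standing in for "CapitalOne".
NUMBER_WORDS = {"1": "one", "2": "two", "4": "four"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance with insert, delete and substitute each costing 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_domain(domain: str) -> tuple[str, str]:
    """Return (name, tld). Simplification: last two labels are the registrable part."""
    labels = domain.lower().strip(".").split(".")
    return labels[-2], labels[-1]


def spellings(name: str) -> set[str]:
    """Alternative readings of a label once common disguises are undone."""
    base = name.replace("-", "")          # capital-one -> capitalone
    homo = base
    for k, v in HOMOGLYPHS.items():       # paypa1 -> paypal
        homo = homo.replace(k, v)
    words = base
    for k, v in NUMBER_WORDS.items():     # capital1 -> capitalone
        words = words.replace(k, v)
    return {base, homo, words}


def classify(domain: str, brands=BRANDS, max_dist: int = 1) -> Optional[tuple[str, str]]:
    """Return (brand, reason) if `domain` imitates a watched brand, else None."""
    name, tld = split_domain(domain)
    forms = spellings(name)
    for brand in brands:
        bname, btld = split_domain(brand)
        if name == bname:                 # exact brand name: legit unless TLD differs
            return None if tld == btld else (brand, "TLD swap")
        if bname in forms:
            return (brand, "hyphen/homoglyph/number variant")
        dist = min(levenshtein(f, bname) for f in forms)
        if dist <= max_dist:              # single typo such as capitalome
            return (brand, f"edit distance {dist}")
    return None


def triage(candidates: list[str]) -> dict[str, tuple[str, str]]:
    """Run classify over a domain feed and keep only the flagged entries."""
    flagged = {}
    for d in candidates:
        hit = classify(d)
        if hit is not None:
            flagged[d] = hit
    return flagged
```

The edit-distance rule is the noisy one: with short brand names, `max_dist=1` will also catch unrelated five-letter words, so tune it by brand length or pair it with a domain-age or registrar check before blocking.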

Folks, it's not about stupid users. It's about information security folks not understanding the strategy of fatigue and confusion, and then how to protect those (your) lambs as they're being led (by Nigerian scammers, Lazarus actors, or APT) to slaughter.  It's like the door-to-door salesman who keeps throwing features, prices, and deals at you until you sign just to get the guy out of your house.  There's psychology involved.

…and you only need one to slip past the goalie to be infected, and many times, you'll have absolutely no idea that you've been p0wned.

Wapack Labs has been running this thing that we call the Cyber Threat Analysis Center. We scour primary sources to identify intended victims before they become victims. The graphic above is a sample of a report that we provide on a weekly basis to one of our folks. We give them normalized blacklists in periodic chunks that they can drop into their defenses, whether their intrusion prevention systems, SIEM, or whatever they have.  They can wait for us to give it to them or they can pull it programmatically via API at whatever frequency they desire.

Want to know more? Drop us a note through the website, or at

OK folks... it's our first nice day in a while up here in NH and that lawn (hay field?) isn't going to mow itself.

Oh, before I forget, if you're local, I hope to see some of you at our Granite State Security cookout Monday afternoon… nothing heavy, just burgers and beer but it's supposed to be nice. Let's have some fun! Here's the link to the meet up… I've invited the local Open Source community and security folks.

Have a great weekend!